The documentation may have changed since you downloaded the PDF. You can always find the latest information on SAP Help Portal.
Note
This PDF document contains the selected topic and its subtopics (max. 150) in the selected structure. Subtopics from other structures are not included.
© 2015 SAP SE or an SAP affiliate company. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose
without the express permission of SAP SE. The information contained herein may be changed without prior notice. Some software products marketed by SAP SE
and its distributors contain proprietary software components of other software vendors. National product specifications may vary. These materials are provided by
SAP SE and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be
liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express
warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. SAP and other
SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE in Germany and other
countries. Please see www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.
PUBLIC Page 1 of 13
© 2014 SAP SE or an SAP affiliate company. All rights reserved.
Table of content
1 Security Guide for SAP BW
2 User Management and Authentication
2.1 User Management
2.2 Authentication and Single Sign-On
3 Authorizations
3.1 Authorization Log for Analysis Authorizations
3.2 Checking Analysis Authorizations as Another User
3.3 Using ABAP Routines in the Analysis Process Designer
4 Network and Communication Security
4.1 Communication Channel Security
4.2 Communication Destinations
4.3 Network Security
4.4 Web Services and ICF Services in BW
5 Security for Data Storage
6 Security-Related Logging and Tracing
7 Further Security-Relevant Information
8 Security-Related Information for BI Java
8.1 User Management and Authentication
8.1.1 User Management
8.1.2 Authentication and Single Sign-On
8.1.2.1 Calling BEx Web Applications from the Portal
8.1.2.2 Information Broadcasting as Background Processing
8.1.2.3 Information Broadcasting in the Web
8.1.2.4 Publishing to the Portal
8.2 Network and Communication Channel Security
8.2.1 Communication Channel Security
8.2.2 Communication Destinations
8.3 Security with Data Storage
8.4 Other Security-Relevant Information
1 Security Guide for SAP BW
Use
Caution
This guide does not replace the administration or operation guides provided for productive operations.
Target Group
Technology consultants
Security consultants
System administrators
This document is not included as part of the Installation Guides, Configuration Guides, Technical Operation Manuals, or Upgrade Guides. These guides are only
relevant for a certain phase of the software life cycle, whereas the Security Guides provide information that is relevant for all life cycle phases.
Why is Security Necessary?
With the increasing use of distributed systems and the Internet for managing business data, security requirements are also becoming more prominent. When
using a distributed system, you need to be sure that your data and processes support your business needs without allowing unauthorized access to critical
information. User errors, negligence, or attempted manipulation of your system cannot be allowed to result in loss of information or processing time. These security
requirements also apply to SAP BW (BW). We have provided this security guide to help you to make BW more secure.
SAP Business Warehouse integrates, transforms, and consolidates data from all areas of an enterprise so that it can provide this information for analysis,
interpretation and distribution. This includes confidential corporate data, such as personal data from personnel administration. This data forms the basis of
decisions and target-oriented actions in all enterprise areas. Secure data access and data integrity are therefore of paramount importance.
The following examples illustrate some of the risks that the BW system can be exposed to:
Attacks from the Internet or intranet when using SAP BEx Web functionality and Web services
Infringement of data protection guidelines as a result of unauthorized access to personal data
About This Document
The Security Guide provides an overview of the security-relevant information that applies to SAP BW and SAP Business Explorer (SAP BEx).
Important Security Information
SAP BW and SAP BEx build on Application Server ABAP, Application Server Java in cases where usage type BI Java is used, and on the portal. The Security
Guide for SAP NetWeaver BW describes additional security information or information that deviates from that which applies to usage types AS ABAP and AS Java.
The table below provides an overview of other relevant security guides:
Application Server for ABAP | SAP NetWeaver Application Server ABAP Security Guide
Application Server for Java | SAP NetWeaver Application Server for Java Security Guide
You can find a complete list of all available SAP Security Guides in the SAP Service Marketplace at http://service.sap.com/securityguide.
Additional Information
For more information about specific topics, see the Quick Links in the table below.
Security: http://scn.sap.com/community/security
2 User Management and Authentication
Use
SAP BW (BW) uses the user management and user authentication mechanisms of the SAP NetWeaver platform, especially the mechanisms in SAP NetWeaver
Application Server for ABAP and Java. For this reason, the security recommendations and guidelines for user management and authentication contained in the
SAP NetWeaver Application Server for ABAP Security Guide and the SAP NetWeaver Application Server for Java Security Guide are also valid for BW. In
addition to these guidelines, the following sections also provide you with specifically BW-related information about user management and authentication.
2.1 User Management
Use
User Management for SAP BW uses the mechanisms - such as tools and user types - contained in the SAP NetWeaver Application Server.
For more information, see the User Management section in the Security Guide for SAP NetWeaver.
User
Standard users that are created when the BW system is installed
More information: Protecting Special Users.
Caution
Change initial passwords after installation to ensure that standard users cannot be misused.
Standard users that are specified when Application Server Java is installed.
For more information, see User Administration and Standard Users, in the SAP NetWeaver Application Server for Java Security Guide.
Caution
Change initial passwords after installation to ensure that standard users cannot be misused.
BW | Database Users | Database Users | You can find information about database users in the Security Guide for operating systems and database platforms.
SAP Source System | Background Users in the SAP Source System | Technical User | The background user in the SAP source system is used for communication with BW and for the extraction of data. If you connect an SAP source system to BW, the background user is created in the source system. You can create the user directly in the source system in user maintenance. In BW Customizing, you can enter a name in the Implementation Guide to use as the default name for the background user when you connect a new source system (under Connections to Other Systems → Connections Between SAP Systems and BW Systems → Maintain Proposal for Users in the Source System (ALE Communication)). If the source system you are using is also a BW system, SAP recommends that you create the background user for BW and the background user for the (BW) source system completely separately. The authorization profile for the background user in the source system is S_BI-WX_RFC (see Authorization Profiles for Background Users).
Authorization Profiles for Working with the Data Warehousing Workbench
BW | Authors and Analysts | Individual User | Authors and analysts require advanced analysis functionality and the ability to perform special data analysis. To accomplish their tasks, they need useful, manageable reporting and analysis tools. More information: Authorizations for Query Definition and Information Broadcasting
BW | Executives and Knowledge Workers | Individual User | Executives and knowledge workers require personalized, context-related information provided in an intuitive user interface. They generally work with pre-defined navigation paths, but sometimes need to perform deeper data analyses. More information: Analysis Authorizations
2.2 Authentication and Single Sign-On
Use
The authentication process makes it possible to check a user's identity before granting them access to BW or BW data. SAP NetWeaver supports various
authentication mechanisms.
BW uses the authentication and single-sign-on mechanisms provided by SAP NetWeaver. Therefore, the security recommendations and guidelines for user
administration and authentication (described in the SAP NetWeaver Security Guide) also apply to BW.
For more information, see the section on user authentication and single-sign-on in the SAP NetWeaver Security Guide.
Authentication and Single-Sign-On Mechanisms for BW
User ID and Password
BW uses a user ID and a password for logon.
For more information, see Logon and Password Protection in SAP Systems.
Secure Network Communications (SNC)
BW supports Secure Network Communications (SNC).
For more information, see Secure Network Communications (SNC).
SAP Logon Tickets
BW supports SAP logon tickets. To make Single Sign-On available for several systems, users can obtain an SAP logon ticket after logging on to the SAP system.
The ticket can then be submitted to other systems (SAP or external systems) as an authentication token. The user does not need to enter a user ID or password
for authentication but can access the system directly after the system has checked the logon ticket.
For more information, see SAP Logon Tickets.
Client Certificates
As an alternative to user authentication with user ID and passwords, users who access Internet applications via the Internet Transaction Server (ITS) can provide X.509
client certificates. User authentication then takes place on the Web Server using the Secure Sockets Layer Protocol (SSL Protocol). No passwords have to be
transferred. User authorizations are valid in accordance with the authorization concept in the SAP system.
More information: X509 Client Certificates.
3 Authorizations
Use
To ensure that SAP BW represents the structure of your company and meets your company's requirements, you have to define who has access to what data.
There are two different authorization concepts for this depending on the role and tasks of the user:
Standard Authorizations
You use these authorizations for the various SAP BW tools, in the Data Warehousing Workbench or in BEx Query Designer for example. The authorization
concept for standard authorizations is based on the AS ABAP authorization concept.
Analysis Authorizations
You use these authorizations to provide access to transaction data belonging to authorization-relevant characteristics, to sales data for example.
Authorizations of this type are not based on the AS ABAP authorization concept. They use their own concept based on the needs of BW reporting and
analysis instead.
Critical Authorizations
Critical Analysis Authorizations
Authorization | Description
0BI_ALL (authorization for all values of all authorization-relevant characteristics) | Every user with this authorization can access all the data at any time. Every user who has a profile containing authorization object S_RS_AUTH and who has entered 0BI_ALL (or has included it using an asterisk (*), for example), has complete access to all data. For more information, see the documentation for analysis authorizations, under Assigning Authorizations to Users.
S_RS_RDEAD (BW Role: Administrator (Development System)) | These authorization templates contain wide-ranging authorizations on authorization object S_RFC.
S_RS_RDEMO (BW Role: Modeler (Development System)) | These authorization templates contain authorizations for all InfoProviders on authorization object S_RS_COMP.
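The 0BI_ALL entry above can be reached explicitly or through an asterisk, so a review has to evaluate maintained values rather than search for the literal name. The following is an added example, not SAP code: it assumes a constructed CSV export of role field values (the column layout and the use of field BIAUTH for S_RS_AUTH are assumptions of this example) and lists the roles and users that end up with complete data access.

```python
import csv
import io

CRITICAL = "0BI_ALL"

# Constructed sample data, not taken from any system. Columns mimic a
# role-authorization export: one row per maintained field value.
SAMPLE_ROLE_VALUES = """role,object,field,low,high
Z_BW_SALES_ANALYST,S_RS_AUTH,BIAUTH,Z_SALES_DE,
Z_BW_POWER_USER,S_RS_AUTH,BIAUTH,0BI_ALL,
Z_BW_LEGACY,S_RS_AUTH,BIAUTH,*,
Z_BW_PATTERN,S_RS_AUTH,BIAUTH,0BI*,
Z_BW_RANGE,S_RS_AUTH,BIAUTH,0A,0Z
Z_BW_FINANCE,S_RS_AUTH,BIAUTH,Z_FIN*,
Z_BW_MODELER,S_RS_COMP,RSINFOAREA,*,
"""

# Constructed user-to-role assignments.
SAMPLE_USER_ROLES = {
    "ANALYST01": ["Z_BW_SALES_ANALYST"],
    "KEYUSER02": ["Z_BW_SALES_ANALYST", "Z_BW_PATTERN"],
    "BATCH_BW": ["Z_BW_LEGACY"],
    "CONTROLLER": ["Z_BW_FINANCE", "Z_BW_MODELER"],
}


def covers_critical(low, high, target=CRITICAL):
    """Return why a maintained value grants `target`, or None if it does not.

    Simplified matching (assumption): exact value, trailing-asterisk
    pattern, or a low/high range compared as plain strings.
    """
    low, high = low.strip(), high.strip()
    if low == target:
        return "explicit"
    if low.endswith("*") and target.startswith(low[:-1]):
        return "wildcard"
    if high and low <= target <= high:
        return "range"
    return None


def roles_granting_all_data(export_text):
    """Map role name -> list of (value, reason) entries that include 0BI_ALL."""
    hits = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        # Only the analysis-authorization object matters here; an asterisk on
        # another object (for example S_RS_COMP) is a separate finding.
        if row["object"] != "S_RS_AUTH" or row["field"] != "BIAUTH":
            continue
        high = row["high"] or ""
        reason = covers_critical(row["low"], high)
        if reason:
            value = row["low"] + ("-" + high if high else "")
            hits.setdefault(row["role"], []).append((value, reason))
    return hits


def users_with_all_data(export_text, user_roles):
    """Map user -> sorted roles through which the user reaches 0BI_ALL."""
    risky = roles_granting_all_data(export_text)
    result = {}
    for user, roles in user_roles.items():
        via = sorted(r for r in roles if r in risky)
        if via:
            result[user] = via
    return result


if __name__ == "__main__":
    for role, entries in roles_granting_all_data(SAMPLE_ROLE_VALUES).items():
        print(role, entries)
    print(users_with_all_data(SAMPLE_ROLE_VALUES, SAMPLE_USER_ROLES))
```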
More Information
Authorizations in the Documentation for SAP BW
Authorization Log for Analysis Authorizations
Checking Analysis Authorizations as Another User
Using ABAP Routines in Analysis Process Designer
3.1 Authorization Log for Analysis Authorizations
Use
A tool is available for analysis authorizations, which enables you to analyze authorization checks. It provides detailed information on authorization-relevant data
access instances. This check can be switched on or off permanently, or as and when required - depending on the users involved. Access to this analysis tool
should be protected using transaction RSECPROT and authorization object S_RSEC. Only authorized users should have access to the tool.
More information: Error Log
3.2 Checking Analysis Authorizations as Another User
Use
On the analysis authorization management screen, you can call specific transactions as another user by choosing Execute as... on the Analysis tab page. All
checks for analysis authorizations (and only these authorizations) are run for the specified user. This makes it possible for a user to gain access to more
authorizations than s/he would normally have. This transaction should therefore be specially protected using authorization object S_RSEC.
More information:
Management of Analysis Authorizations
Overview: Authorization Objects
3.3 Using ABAP Routines in the Analysis Process Designer
Use
In the Analysis Process Designer, you can transform data using an ABAP routine.
Note that when you create and edit the ABAP routine in an analysis process, S_DEVELOP is not checked. You need authorization for the authorization object
RSANPR and activity 36 (extended maintenance).
In productive systems in particular, this can result in a situation where unauthorized users can edit and execute ABAP routines.
4 Network and Communication Security
Use
Your network infrastructure is extremely important for your system security. Your network needs to support the communication necessary for your business needs
without allowing unauthorized access. A well-defined network topology can eliminate many security threats based on software flaws (at operating system level and
application level) or network attacks such as eavesdropping. If users cannot log on to your application or database servers at the operating system or database
layer, then there is no way for intruders to compromise the machines and gain access to the backend system's database or files. In addition, if users are not able
to connect to the server LAN (local area network), they cannot exploit known bugs and security gaps in network services on the servers.
The network topology for the SAP BW (BW) is based on the topology used by the SAP NetWeaver platform. For this reason, the security guidelines and
recommendations described in the Security Guide for SAP NetWeaver are also valid for BW. Details that are especially relevant for BW are described in the
following sections.
4.1 Communication Channel Security
Use
BW uses the following communication paths and protocols:
RFC is used as the protocol for the following communication paths:
Front end and application server
Application server to application server
AS Java and application server
SAProuter and application server
Connection to database
For more information on the secure usage of RFC for communication between systems, see RFC/ICF Security Guide.
HTTP, HTTPS, and SOAP are used for communication between the Web browser and the application server.
RFC connections can be protected using Secure Network Communications (SNC). HTTP connections are protected using the Secure Sockets Layer (SSL)
protocol. SOAP connections are protected with Web services security.
Recommendation
We strongly recommend using secure protocols (SSL, SNC) whenever possible.
For more information, see "Transport Layer Security and Web Services Security" in the SAP NetWeaver Security Guide.
4.2 Communication Destinations
Use
Connection destinations are required in the following BW areas:
Using TREX
RFC destination in the BW system
For more information, see BW Customizing under TREX Connection.
Connecting data sources to the BW system
These destinations are not usually shipped with the software. Instead, they are created on the customer's system.
If you want to connect SAP systems and non-SAP data sources (as source systems) to BW, you usually need RFC destinations.
To use UD Connect, you need an RFC destination to the Application Server Java. For more information, see BW Customizing under UDI Settings by User Scenarios → UD Connect Settings.
The Myself BW destination is automatically created when the BW Data Warehousing Workbench is opened for the first time.
The background user and the background user in the source system are responsible for communication between BW and source systems (in the case of
SAP source systems). The BW background user requires the S_BI-WHM_RFC authorization profile. The background user requires the S_BI-WX_RFC
authorization profile in the SAP source system. For more information, see Authorization Profiles for Background Users.
4.3 Network Security
Use
When using the BW, note the information under "Network and Communication Security" in the SAP NetWeaver security guidelines.
We recommend the use of firewalls to control the network traffic in your system landscape. A firewall comprises hardware and software components that specify
which connections are permitted between communication partners. The firewall only allows the specified connections to be used. All others are blocked by
the firewall. For more information, see "Using Firewall Systems for Access Control" in the SAP NetWeaver security guidelines.
To secure RFC connections or connections with Internet protocols, we recommend that you use Secure Network Communications (SNC) or Secure Sockets Layer
(SSL) as your security method.
4.4 Web Services and ICF Services in BW
Use
Various Web services and ICF services are delivered with SAP Business Warehouse.
ICF Services
ICF services are based on the Internet Communication Framework (ICF) of the SAP NetWeaver Application Server. ICF services are HTTP services that are used
to execute HTTP request handlers. The BW HTTP services allow you to display or exchange BW data using a URL. Some of these services are implemented as
Web services.
Structure of the URL
The URL of an HTTP service delivered in a BW namespace has the following structure:
<Protocol>://<Server>:<Port>/sap/bw/<Service>
URL Prefix
The values used for the placeholders in the specified URL schema depend on the installation. For <Protocol>, http and https can be selected. For <Server>, enter
your message server.
You can check which URL prefix your BW system has generated as follows:
1. Call Function Builder (transaction SE37).
2. Enter RSBB_URL_PREFIX_GET as the function module.
3. Choose Test/Execute. The Test Function Module screen appears.
4. As import parameter I_HANDLERCLASS, enter the name of the ICF handler (HTTP Request Handler) for the required service.
Note
You can find out the name of the ICF handler in the Maintenance of Services (transaction SICF). Navigate to the required service component in the HTTP
service tree. Double-click to open the Change/Create a Service dialog box. The HTTP request handler for the service is displayed on the Handler List
tab page.
5. Choose Execute. Export parameter E_URL_PREFIX contains the generated URL prefix.
Service:
Enter the technical name of the required service here. The name comprises all the elements of the path in the HTTP service tree (transaction SICF).
Prerequisites for Using the Service
The required HTTP service must be active.
Note
To check this, navigate to the required service component in Service Maintenance (transaction SICF). If the service is active, you cannot select the Activate
Service entry in the context menu.
Delivered Service
The following service is implemented as a Web service:
Open Analysis Interfaces (see XML for Analysis)
5 Security for Data Storage
Use
Data Storage
In BW, data is stored on the application server database.
If end users evaluate data using Microsoft Excel, they can also store data locally. The end user has to make sure that no unauthorized person can access the
locally stored data.
You can protect data from being accessed by unauthorized end-users by assigning analysis authorizations. In the default setting, data is not protected. However,
you can flag InfoObjects in BW as authorization-relevant (see Tab Page: Business Explorer). Data can then only be accessed if the user has the required
authorizations.
Data in BW is mainly accessed for read purposes. In planning however, data is also modified. More information: Planning Engine.
Protecting Access to the File System Using Logical Paths and File Names
In transaction RSCRM_BAPI, query extracts can be created by writing the query results to files on the application server. To maintain system integrity, it is
important to specify explicitly where these files are stored. This is done by specifying logical paths and file names that are assigned to the physical paths.
This assignment is validated at runtime to ensure that files are generated in the correct name range.
The following lists show the logical file names and paths used in this context and the programs that these file names and paths apply to:
Logical File Name Used in this Application
The following logical file name has been created in order to enable validation of physical file names:
RSCRM_FILE_EXTRACT_PATH
Programs that use this logical path name and the parameters used in this context:
RSCRM_BAPI_REMOTE
CL_RSCRMBW_TOOLS
Logical Path Names Used in this Application
The logical file name listed above uses the logical path name RSCRM_FILE_EXTRACT_PATH.
We recommend defining the physical path that is assigned to the temporary directory.
Activate Validation of Logical Paths and File Names
These logical paths and file names are specified in the system for the corresponding programs. To ensure downward compatibility, validation at runtime is
deactivated by default. To activate validation at runtime, specify the physical path with transactions FILE (non-client specific) and SF01 (client-specific). To find
out which paths are used by your system, you can activate the relevant settings in the security audit log.
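The effect of the default described above can be modelled in a few lines. The following is an added example, not SAP's implementation: a simplified Python model in which a file name is only checked once a physical directory has been assigned to RSCRM_FILE_EXTRACT_PATH. The directory, the file names and the function names are constructed for illustration.

```python
import posixpath

LOGICAL_PATH = "RSCRM_FILE_EXTRACT_PATH"

# Constructed configurations. The directory is a placeholder, not a default.
NOT_MAINTAINED = {}                                 # no physical path assigned
MAINTAINED = {LOGICAL_PATH: "/usr/sap/extract/bw"}  # physical path assigned

# Constructed file names as a caller might request them.
SAMPLE_REQUESTS = [
    "q1_sales.csv",
    "2015/q1_sales.csv",
    "../other_dir/out.csv",
    "/tmp/out.csv",
    "/usr/sap/extract/bw_old/out.csv",
]


def check_extract_target(requested, logical_paths):
    """Return (status, resolved_name) for a requested extract file name."""
    base = logical_paths.get(LOGICAL_PATH)
    if not base:
        # Nothing to validate against: the name is used exactly as given.
        return ("not validated", requested)
    base = posixpath.normpath(base)
    # join() lets an absolute name replace the base; normpath() folds '..'.
    # Symbolic links are not resolved in this model.
    resolved = posixpath.normpath(posixpath.join(base, requested))
    # Compare against base plus separator so that a sibling directory with
    # the same prefix (bw_old) does not pass.
    if resolved.startswith(base + "/"):
        return ("accepted", resolved)
    return ("rejected", resolved)


def audit(requests, logical_paths):
    """Map each requested name to its validation status."""
    return {name: check_extract_target(name, logical_paths)[0] for name in requests}


if __name__ == "__main__":
    print("physical path not maintained:", audit(SAMPLE_REQUESTS, NOT_MAINTAINED))
    print("physical path maintained:    ", audit(SAMPLE_REQUESTS, MAINTAINED))
```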
More information:
Logical File Names
Protecting Access to the File System Using Logical Path and File
Security Audit Log
Data Protection
LOPD Access Logging in Reporting and Planning Applications
The Spanish data protection law Ley Orgánica de Protección de Datos de Carácter Personal (LOPD) stipulates certain rules that companies have to observe
when processing, saving and handling personal data. These rules involve logging all access to highly-sensitive personal data. SAP BW provides a mechanism
for LOPD logging of access to data in reporting and planning applications. For more information, see SAP Note 933441.
6 Security-Related Logging and Tracing
Use
Logging Security-Related Changes and Authorization-Related Activities
The following tables are used to log changes to analysis authorizations and other authorization-related activities:
RSUDOLOG
This table contains log information about execution of a query (or other transaction) in the administration transaction for analysis authorizations in Query Monitor
(transaction RSRT) by one user for another.
For further information about executing transactions (especially RSRT) with another user, see Management of Analysis Authorizations and Checking Analysis
Authorizations as Another User.
The log data includes the following:
User name of the user who has executed a transaction under another user name
User name of the other user
The transaction that was executed
Password prompt flag
Flag to show correct password entered
Session ID
Time stamp
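The RSUDOLOG fields listed above are enough for a periodic review of "execute as" activity. The following is an added example, not SAP code: it runs over constructed rows whose column names, flag values ("X" for set) and allow-list are assumptions of this example, and it reads the two password flags as "the actor was prompted for a password" and "the password entered was correct".

```python
from collections import defaultdict

# Hypothetical column names for the log fields listed in the text.
FIELDS = ("actor", "run_as", "tcode", "pw_prompted", "pw_correct",
          "session_id", "timestamp")

# Constructed sample rows, not taken from any system.
SAMPLE_ROWS = [
    ("AUTHADMIN1", "JDOE",    "RSRT", "X", "X", "S001", "2015-03-02T09:14:05"),
    ("AUTHADMIN1", "MMEIER",  "RSRT", "X", "",  "S002", "2015-03-02T09:20:41"),
    ("DEVUSER7",   "CFO01",   "RSRT", "",  "",  "S003", "2015-03-02T22:47:10"),
    ("DEVUSER7",   "HR_LEAD", "RSRT", "",  "",  "S003", "2015-03-02T22:49:32"),
    ("DEVUSER7",   "CEO01",   "RSRT", "",  "",  "S004", "2015-03-02T22:55:03"),
]

# Assumptions of this example: who is expected to use "Execute as...",
# and how many different users one actor may run checks for.
APPROVED_ACTORS = {"AUTHADMIN1"}
MAX_TARGETS_PER_ACTOR = 2


def review_execute_as(rows, approved=APPROVED_ACTORS,
                      max_targets=MAX_TARGETS_PER_ACTOR):
    """Return (findings, broad_actors).

    findings: (timestamp, actor, run_as, reasons) for each row that needs review.
    broad_actors: actors who executed as more than `max_targets` different users.
    """
    findings = []
    targets = defaultdict(set)
    for raw in rows:
        row = dict(zip(FIELDS, raw))
        targets[row["actor"]].add(row["run_as"])
        reasons = []
        if row["actor"] not in approved:
            reasons.append("actor not approved")
        if row["pw_prompted"] != "X":
            reasons.append("no password prompt")
        elif row["pw_correct"] != "X":
            reasons.append("wrong password entered")
        if reasons:
            findings.append((row["timestamp"], row["actor"], row["run_as"], reasons))
    broad = sorted(a for a, seen in targets.items() if len(seen) > max_targets)
    return findings, broad


if __name__ == "__main__":
    found, broad_actors = review_execute_as(SAMPLE_ROWS)
    for item in found:
        print(item)
    print("actors with many targets:", broad_actors)
```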
RSECVAL_CL
This table contains log information about changes to value authorizations. The log data includes the following:
The authorization that was changed
The characteristic that the authorization was changed for
Object version of the characteristic
Session ID
Time stamp for the change
RSECHIE_CL
This table contains log information about changes to hierarchy authorizations. The log data includes the following:
The authorization that was changed
The characteristic that the authorization was changed for
Object version of the characteristic
Hierarchy-specific data
Session ID
Time stamp for the change
RSECUSERAUTH_CL
This table contains log information about the assignment of analysis authorizations by users in the administration transaction for analysis authorizations.
More information: Assigning Information to Users
The log data includes the following:
Authorization
User name of the user whom the authorization was assigned to
Time stamp
Session ID
Note
You can analyze changes to value and hierarchy authorizations and to user-user authorization assignments using InfoProviders from the technical
content. More information: Change Documents (Legal Auditing).
RSECTXT_CL
This table contains log information about changes to authorization texts. The log data includes the following:
The authorization that was changed
The authorization's short, medium and long text
Session ID
Time stamp for the change
RSECSESSION_CL
This table contains log information about user activities in the session, including the date and time of any changes made. You can use this table to find out which
user values, hierarchy authorizations or authorization texts have been changed.
Logging LOPD-Relevant Access in Reporting and Planning Applications
SAP BW provides a mechanism for logging access in reporting and planning applications, which are security-related in accordance with the Spanish data
protection law Ley Orgánica de Protección de Datos de Carácter Personal (LOPD). For more information, see SAP Note 933441.
7 Further Security-Relevant Information
Use
E-mail encryption when distributing BEx objects
Information broadcasting uses SAP NetWeaver interface SAPconnect to create and send e-mails with BEx objects. This interface does not support encryption or
certificates. E-mails created in the SAP system using Information Broadcasting are therefore not encrypted and do not have certificates.
However, SAP supplies you with an additional product from another provider (the Secure Email Proxy), which allows you to encrypt e-mails.
More information: SAPconnect, in particular the section Secure Email.
8 Security-Related Information for BI Java
Use
The following sections provide security-related information to supplement the Security Guide for SAP BW when using usage type BI Java. These sections do not
constitute a security guide in their own right. They should be read in conjunction with the corresponding sections in the Security Guide for SAP BW.
8.1 User Management and Authentication
8.1.1 User Management
Use
For information about standard users that are specified during installation of Application Server Java, see the SAP NetWeaver Application Server for Java
Security Guide, under User Management and Standard Users.
Caution
Change initial passwords after installation to ensure that standard users cannot be misused.
8.1.2 Authentication and Single Sign-On
Use
The portal is the central entry point for users in SAP NetWeaver. It supports and issues SAP logon tickets. BEx Web applications are usually called from the
portal. The integration of BW and the portal enables access from BW too, where Single Sign-On is also supported.
The following graphic illustrates the interaction between BW and the portal in terms of single sign-on:
8.1.2.1 Calling BEx Web Applications from the Portal
Calling BEx Web applications from the portal is like calling applications from other components. Single sign-on means that you do not have to log on to BW
manually.
Overview
Portal (explicit authentication at the portal; Web browser receives portal ticket) → BEx Web application (implicit authentication in BW with portal ticket)
The following settings have to be made for Single Sign-On when calling BEx Web applications from the portal:
BW system must accept tickets
BW system must have imported the portal certificate in order to authenticate tickets from the portal
See also:
SAP Customizing Implementation Guide → SAP NetWeaver → SAP Business Warehouse → Settings for Reporting and Analysis → BEx Web → Integration into
the Portal
→ Configuring Single Sign-On in the BW System
→ Exporting the Portal Certificate in the Portal
→ Import the Portal Certificate to the BW System
8.1.2.2 Information Broadcasting as Background Processing
When using distribution by e-mail and precalculation of BEx workbooks with Microsoft Excel, no portal functions are required.
Overview
Precalculation and generation of documents (explicit authentication in the BW occurs during job scheduling) → Storage of documents in Knowledge Management (implicit authentication in the Portal with BW ticket)
8.1.2.3 Information Broadcasting in the Web
BEx Broadcaster (explicit authentication in BW, Web browser receives BW ticket) → Input help (explicit authentication in the portal because the portal does not accept a BW ticket)
Portal (explicit authentication at the portal; Web browser receives portal ticket) → BEx Broadcaster (implicit authentication in BW with portal ticket) → Input help (implicit authentication at the portal with portal ticket)
BEx Broadcaster (explicit authentication in BW, Web browser receives BW ticket) → Input help (implicit authentication at the portal because the portal does not accept a BW ticket)
Multiple portals can be connected to a BW system. See SAP Customizing Implementation Guide → SAP NetWeaver → SAP Business Warehouse → Settings
for Reporting and Analysis → BEx Web → Integration into the Portal → Maintain Portal Server Settings for the Portal. The portal that is designated as the standard
portal is used when the input help for the KM folder is called.
8.1.2.4 Publishing to the Portal
BEx Web Application Designer (explicit authentication in BW system, BW ticket available) → Portal (implicit authentication on the portal with BW ticket)
For publication to the portal in BEx Web Application Designer, the following settings must be made:
The BW system must generate tickets
The portal must have imported the BW certificate of the BW system in order to authenticate tickets from BW
You must configure the user assignment in the portal if the technical user names are not the same.
See also:
SAP Customizing Implementation Guide → SAP NetWeaver → Business Intelligence → Settings for Reporting and Analysis → BEx Web → Integration into the
Portal
→ Configuring Single Sign-On in the BW System
→ Exporting the BW Certificate in the BW System
→ Importing the BW Certificate into the Portal
→ Configuring User Assignments in the Portal
8.2 Network and Communication Channel Security
8.2.1 Communication Channel Security
Use
When using BI Java, there is another communication path: AS Java and application server. This connection uses RFC.
HTTP, HTTPS, and SOAP are used for communication between the Web browser and the application server. When using Web applications, we recommend
activating encryption for HTTPS.
For more information about the communication paths for AS Java and the associated security mechanisms, see Transport Layer Security.
8.2.2 Communication Destinations
Use
When using BI Java, the following connection destinations may be required:
BEx Web
RFC destination on the Application Server Java
RFC destination for portal
For more information, see Automatically Configuring BI Java.
Connecting UD data sources to the BW system
To use UD Connect, you need an RFC destination to the Application Server Java. For more information, see BW Customizing under UDI Settings by User Scenarios → UD Connect Settings.
The background user and the background user in the source system are responsible for communication between BW and source systems (in the case of
SAP source systems). The BW background user requires the S_BI-WHM_RFC authorization profile. The background user requires the S_BI-WX_RFC
authorization profile in the SAP source system. For more information, see Authorization Profiles for Background Users.
8.3 Security with Data Storage
Use
Data Storage
If evaluations and analyses are called using BEx Web applications, data is displayed in a Web Browser. Data is then stored in a browser cache. We recommend
always deleting the browser cache after evaluating data.
Data Protection
Using BEx Tools in SAP NetWeaver 2004
If using BEx tools in SAP NetWeaver 2004, note the following:
BEx Web applications can be implemented either as stateful or stateless applications. For stateful Web applications, the BEx Web runtime uses session cookies
to combine independent requests (the function calls in a Web application, navigation steps for example) into a session. These cookies are called sap-contextid.
The cookie contains a generated ID as a value. This ID allows the relevant session to be identified on the server. The session cookie is a temporary
cookie. It is deleted automatically when the browser window is closed. The server also has a timeout parameter. The session cookie is invalid after the timeout and
can no longer be used for navigating in a Web application. Using Web template attribute NO-SESSION_COOKIE, you can use the session coding in the URL
for the Web application instead. In this case, no session cookies are generated. To ensure that the Web application uses the session coding in the URL, set X for the
NO-SESSION_COOKIE attribute.
8.4 Other Security-Relevant Information
Use
SAP BEx uses JavaScript in the Web Browser when executing Web Applications. For minimum configuration, you have the option of deactivating JavaScript.
However, we recommend that you do not deactivate JavaScript. Deactivating JavaScript means that it is no longer possible to use all of the Web items and
dialogs on the Web. Navigation options in Web applications would also be considerably restricted.